This KQL query can be used to detect post exploitation activities related to CVE-2024-3094. This vulnerability is related to reports of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1.
Multiple sources suggest that the malicious code is ingested in functions that SSHD leverages to bypass authentication features, this is yet to be confirmed.
If you only want to list devices with the vulnerable version use:
DeviceTvmSoftwareInventory
| where SoftwareName has "xz"
| where SoftwareVersion has "5.6"
| distinct DeviceName let VulnerableXZDevices = DeviceTvmSoftwareInventory
| where SoftwareName has "xz"
| where SoftwareVersion has "5.6"
| distinct DeviceId;
DeviceNetworkEvents
| where DeviceId in (VulnerableXZDevices)
| where ActionType == "InboundConnectionAccepted"
| where InitiatingProcessFileName contains "ssh"
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) let VulnerableXZDevices = DeviceTvmSoftwareInventory
| where SoftwareName has "xz"
| where SoftwareVersion has "5.6"
| distinct DeviceId;
DeviceNetworkEvents
| where DeviceId in (VulnerableXZDevices)
| where ActionType == "InboundConnectionAccepted"
| where InitiatingProcessFileName contains "ssh"
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) Have you ever come across a picture on the internet and wondered where it came…
Overview WhatsMyName is a free, community-driven OSINT tool designed to identify where a username exists…
Managing disk usage is a crucial task for Linux users and administrators alike. Understanding which…
Efficient disk space management is vital in Linux, especially for system administrators who manage servers…
Knowing how to check directory sizes in Linux is essential for managing disk space and…
Managing user accounts is a core responsibility for any Linux administrator. Whether you’re securing a…